Get file attributes

Is file resource a symbolic link?
    No: Do normal resource processing
    Yes: Retrieve symbolic link's target name and get target attribute information

Add target resource and symbolic link resource to the database of protected resources

Figure 1

Set resource as a child of the link in the symbolic link

Set symbolic link as the parent in the target resource

Add (parent) symbolic link as entry in the protected resource database

Add (child) target resource as entry in the protected resource database

Figure 2

Get file object by following symbolic link

Search protected object database for entries protecting file object

Any entries found?
    No: Done, object is not protected, grant access
    Yes: Get next entry in list

Call access decision component to obtain access decision for entry

Access granted?
    No: Deny access
    Yes: More entries in list?
        Yes: Get next entry in list
        No: Grant access

Figure 3

Start search with first candidate entry

Does entry match search resource?
    No: Get next entry to search
    Yes: Is entry child resource?
        No: Return entry as only found entry
        Yes: Get parent and add to found list

End of entries to search?
    No: Get next entry to search
    Yes: Return list of found entries

Figure 4

Get file object for symbolic link target

Search protected object database for entries protecting file object

Any entries found?
    No: Done, object is not protected, allow create
    Yes: Get next entry in list

Call access decision component to determine if the entry's protections allow for the creation of new symbolic links

Creation allowed?
    No: Deny create
    Yes: More entries in list?
        Yes: Get next entry in list
        No: Allow create

Figure 5

Example High Level Architecture Relationship between an External Authorization Manager and the Described Symbolic Link Security Method

Policy Database for File System Resources

Master Policy Database Manager

Authorization (AZN) Decision Engine

Point of Enforcement

Accessing Users and Programs

Protected Object Database:
- holds entries of protected objects
- for links, holds parent symbolic link entries
- holds child resource entries for targets of symbolic links
- services search requests from interceptor

Operation Interceptor:
- intercept application calls
- search protected object database
- call access decision engine
- enforce results

Native Operating System Services

Figure 6